The chief security officers of Australia’s big four banks have likened combating cybersecurity attacks to playing a team sport. “I think I’m not alone in saying that we see cyber as very much a team sport,” Commonwealth Bank of Australia CISO Keith Howard said during the virtual Cyber Live event on Wednesday. “The competitors, from my perspective, is not [the other banks], it’s the attackers … at the end of the day, we’re stronger when we work across industry, across education, and also work across government as well.”

This joint security effort between the big four occurs regularly, according to National Australia Bank CSO Sandro Bucchianeri. “What we typically do is we would talk about indicators of compromise and share our threat intelligence so that we can better defend ourselves because something I see at NAB, Richard may not have seen it at Westpac, or Lynwen [at ANZ] may have also seen it, so we try to compare notes essentially — and that helps us protect the wider Australian community as a whole,” he said.
Bucchianeri also emphasised the importance of having diverse skill sets in a strong cybersecurity team. “Just like soccer, where you have strikers, defenders, midfielders, goalkeepers, doctors, coaches, nutritionists, and the list goes on, we are looking for new diverse talent that will help us better defend the organisation. Something that I’m personally very excited about is training visually impaired students to become cybersecurity professionals,” he said.

From ANZ CISO Lynwen Connick’s perspective, diversifying the cybersecurity sector is not only about gender, but also about bringing in people from other fields like psychology, media, and fashion. “People come from all different walks of life, and that’s really important from a diversity point of view as well because you get that diversity of thought,” she said. “People have had different training, different experiences coming into cybersecurity because cybersecurity is really part of everything we do, so we need all sorts of different people.”

The need to boost Australia’s cybersecurity skills comes at a time when cyber attacks are no longer confined to a specific sector or enterprise; every sector is being hurt. A prime example was when global meatpacker JBS last year paid $11 million in Bitcoin to attackers who encrypted its files and disrupted operations in the US and Australia with ransomware.

As BT Australasia cybersecurity head Luke Barker puts it, a decade ago there was nowhere near as much targeted activity against organisations that run operational networks, such as manufacturing, mining, energy, and water, as there is today. “Ten years ago, I don’t think the adversaries were targeting those types of industries as much,” he said. “Whereas I look now and most of the organisations we work with, we’re seeing a significant rise in cybercrime against organisations that run those types of environments because the impact is so big. If you’re having to take down an organisation’s manufacturing facility, that is the number one source of revenue, so the impact of their business and the likelihood of them potentially paying a ransom is going to be more so than say their website goes down, when their core business is manufacturing. We’re seeing that shift towards what’s going to create the biggest impact and where are the crown jewels for that organisation.”
By default, user identities are scattered across cloud applications, virtual environments, networks and web portals. Without a central identity and access management (IAM) strategy, businesses of all sizes lose both security and productivity.

IAM software platforms make it faster and easier for employees to securely access the data and applications they need to do their jobs, and they give an enterprise assurance that only authorized employees are reaching the right information. For example, a human resources staffer needs access to an employee’s personal information, but the marketing team does not need the same files. IAM tools enforce that kind of role-based access to keep an organization’s resources out of the hands of intruders.

These tools generally perform two functions. First, they confirm that the user, device, or application is who it claims to be by checking the presented credentials against what the system has on file (authentication). Second, once the identity is confirmed, they grant only the level of access that identity needs, instead of giving it access to everything on the network (authorization). Here are ZDNet’s top picks of the leading providers of identity and access management software in 2021.
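A minimal illustration of those two functions, added here as an example (it is not code from ZDNet or from any vendor in this roundup): a password check against stored salted PBKDF2 hashes, followed by a deny-by-default role-based authorization check. The users, roles, permission names and iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Role -> permissions. Deny by default: a permission absent here is refused.
# Roles and permission names are constructed for this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "hr": {"read:employee_pii", "write:employee_pii"},
    "marketing": {"read:campaign_assets", "write:campaign_assets"},
}

PBKDF2_ITERATIONS = 200_000   # assumption; tune to your hardware budget
DUMMY_SALT = b"\x00" * 16     # so an unknown username costs the same time as a known one


@dataclass
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: Set[str] = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Directory:
    """Holds what the system 'has on file' for each user."""

    def __init__(self) -> None:
        self._users: Dict[str, UserRecord] = {}

    def add_user(self, username: str, password: str, roles: Set[str]) -> None:
        salt = os.urandom(16)
        self._users[username] = UserRecord(username, salt, hash_password(password, salt), set(roles))

    def authenticate(self, username: str, password: str) -> Optional[UserRecord]:
        """Function 1: cross-reference the presented credential against the record."""
        rec = self._users.get(username)
        salt = rec.salt if rec else DUMMY_SALT
        candidate = hash_password(password, salt)          # always pay the hashing cost
        if rec is None or not hmac.compare_digest(candidate, rec.pw_hash):
            return None                                    # no hint whether user or password was wrong
        return rec

    @staticmethod
    def authorize(user: UserRecord, permission: str) -> bool:
        """Function 2: grant only what the user's roles allow, nothing else."""
        return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def request_access(directory: Directory, username: str, password: str, permission: str) -> str:
    """Authentication first, then authorization; both must pass."""
    user = directory.authenticate(username, password)
    if user is None:
        return "denied:authentication"
    if not directory.authorize(user, permission):
        return "denied:authorization"
    return "granted"


def demo() -> Dict[str, str]:
    """Constructed scenario mirroring the HR-versus-marketing example in the text."""
    d = Directory()
    d.add_user("hr.alice", "correct horse battery staple", {"hr"})
    d.add_user("mkt.bob", "another long passphrase", {"marketing"})
    return {
        "hr_reads_pii": request_access(d, "hr.alice", "correct horse battery staple", "read:employee_pii"),
        "marketing_reads_pii": request_access(d, "mkt.bob", "another long passphrase", "read:employee_pii"),
        "marketing_reads_assets": request_access(d, "mkt.bob", "another long passphrase", "read:campaign_assets"),
        "wrong_password": request_access(d, "hr.alice", "guess", "read:employee_pii"),
        "unknown_user": request_access(d, "nobody", "guess", "read:employee_pii"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Two details matter more than they look: the hash is computed even for an unknown username, so response time does not reveal which usernames exist, and the failure result is the same string for a wrong password and an unknown user. A real platform layers MFA, session handling and audit logging on top of these two checks.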
Okta
Okta completed its acquisition of Auth0 for $6.5 billion in May 2021, picking up a large portfolio of intellectual property along with a new set of customers. Gartner recognized Okta as a leader in its Magic Quadrant for Access Management 2020 for the fourth year in a row, describing it as “one of the most mature and advanced AM tools in the market to meet both internal and external user access management use cases’ needs.”

Okta enables organizations to secure and manage their extended enterprise, whether on-premises or in a private, public or hybrid cloud. With more than 6,000 pre-built integrations to applications and infrastructure providers, Okta claims that its customers can securely adopt the technologies they need to fulfil their missions. Okta provides SSO (single sign-on), MFA (multi-factor authentication) and a universal directory, which gives a SecOps team a single place to manage all user identities. The platform supports several MFA factors, so users are not limited to phone or email authentication. Okta also provides zero trust access management for infrastructure, giving finer control over user permissions, and API access management for back-end services.

PROS
- Intuitive to deploy, and straightforward to integrate further applications as use cases require.
- SSO keeps employees from having to remember multiple passwords.
- Extensive feature menu.

CONS
- Pricing might be steep for small businesses.
- It can be hard to find login records that are no longer active.
Auth0
Auth0, founded in 2013 and acquired by Okta in May 2021 for $6.5 billion, is a respected option for developers who want to build a secure login experience into their own applications. It is a next-generation identity platform for web, mobile, IoT and internal applications.

The software assigns permissions automatically based on a user’s role, leaving less room for error than manual assignments. It can also issue access tokens to grant users the temporary access they need. The platform handles API authorization, so that a client holding a token reaches only the APIs and scopes it has been authorized for. Pricing is monthly.

PROS
- Provides templates in several programming languages.
- The unusual freemium option covers up to 7,000 users.

CONS
- Customization options are limited.
- Few tools for corporate governance.
Ping Identity
Ping Identity, founded in 2002 and one of the most well-established identity management companies in the business, was designed for hybrid IT environments. It works cleanly across public, private and hybrid clouds and with on-premises networks and applications. The platform combines multi-factor authentication with single sign-on to provide an intuitive and secure sign-on experience for each user. It also includes an analytics engine to help SecOps teams detect (and predict) anomalies in user behavior that could signal that a stolen or fabricated identity has compromised the system. Thanks to its broad feature set, Ping Identity can also enforce business rules for authorization and authentication through customizable policies.

PROS
- One of the most innovative companies in this space, with new features always in the pipeline.
- Highly attentive and responsive support team.
- Easy to implement, with good interoperability with other applications.

CONS
- Quality comes at a cost: one of the more expensive platforms in the market.
Microsoft Azure Identity Management
Any product with Microsoft in the name is automatically going to get attention from potential buyers. Microsoft Azure Identity Management, delivered as part of Azure Active Directory, offers several identity management products for on-premises, public, private and hybrid clouds. It lets an enterprise automatically classify and label data to make it easier to assign access rights based on user roles. It also lets admins track suspicious activity on shared data and applications, so they know exactly who is accessing each file and when.

PROS
- Thanks to a familiar Microsoft interface, it is relatively easy to deploy and use.
- Secures data and applications and limits access in only a few steps.
- Provides reliable remote access for identity management.

CONS
- Application updates can be slow to roll out.
- Sometimes requires expert maintenance and management from Microsoft, which could be cost-prohibitive for small businesses.
OneLogin
OneLogin brings to the security table a cloud IAM platform that puts simplicity for users first. It offers integration templates for more than 6,000 applications to help admins keep users safe across an entire network, and it is designed to work with both cloud and on-premises applications. HR can act as the source of truth for user identities, so a company can easily adjust access as an employee’s lifecycle changes or ends. Customers can even implement certificate-based trust for remote employees, meaning those users never have to enter a password.

PROS
- Known for its strong customer support.
- Analysts praise its intuitive usability and granular access control.

CONS
- The Chrome plugin has been problematic.
- Event logs occasionally miss important actions.
CyberArk Workforce Identity
CyberArk, founded in 1999 and the oldest of the identity specialists on this list, has been both a pioneer and an innovator in the field. The company has also earned respect in the investment community, having raised more than half a billion dollars over the past several years, according to Crunchbase. CyberArk Workforce Identity, the product formerly known as Idaptive, offers both MFA and SSO to help employees log into applications easily and securely, and it automates onboarding and offboarding to lighten the load on HR and IT teams. Its frictionless sign-on helps keep shadow IT from flourishing among employees looking for quicker ways to reach the resources they need. The multi-factor process is backed by analytics, making it faster to spot anomalies that could lead to breaches.

PROS
- Protection can be extended to endpoints, so that only approved devices connect to the network.
- Integrations for more than 150 applications.
- Known for responsive and highly professional user support.

CONS
- Custom reporting doesn’t always accept SQL inputs as designed.
- The user interface can make navigation difficult.
ForgeRock
ForgeRock’s Identity Platform is backwards-compatible, meaning it supports most legacy enterprise systems. It automates several identity lifecycle processes, including creating identities when employees are hired, changing access as they are promoted and removing permissions when they leave. It runs in on-premises, cloud and hybrid environments. ForgeRock is designed to handle very large numbers of identities, which suits large enterprises. For cloud deployments it provides three environments (development, testing and production) for the cost of a single license, so customers do not pay extra for additional tenancies. It also ships the DevOps tooling developers need. Pricing is per registered identity.

PROS
- Supports legacy systems while still offering modern capabilities.
- Simple integration path for Java-based applications.
- Custom components can be added as modules.

CONS
- The user interface can sometimes be difficult to navigate.
JumpCloud
JumpCloud is a relatively new entrant (founded in 2012) to the leadership of this segment. As a next-generation identity management company, it makes a point of being among the most versatile on this list, and it prides itself on its secure single sign-on (SSO). The platform works with both on-premises and cloud applications and is equally at home on Windows, macOS and Linux systems and infrastructure. JumpCloud also provides reporting and analytics that log user activity, allowing a SecOps team to review access attempts that might show an identity has been compromised, and it offers remote device management for security admins.

PROS
- Free tier for up to 10 users and 10 devices.
- Easy to install and add users.
- Wide breadth of features.

CONS
- Enterprise pricing is per user.
- Reporting is done through the API.
Oracle Identity Management
Oracle Identity Management brings a well-known name and a track record in US government and military deployments, along with access control for both on-premises and cloud applications. The platform is highly scalable. Oracle lets organizations set their own rules and policies for access, so they keep full control over their data and applications. It also offers SSO for any integrated application from any type of device, including mobile phones and tablets. One of the platform’s key features is real-time fraud prevention to protect against compromised credentials and keep business resources secure.

PROS
- Handles large volumes of traffic.
- Reliable user provisioning.

CONS
- Requires customization to reach many features; professional services can be expensive.
- Can present a steep learning curve for staff.
IBM
IBM Security Verify is an identity-as-a-service (IDaaS) platform with the SSO, MFA and identity analytics features that are quickly becoming standard. It offers AI-assisted authentication and adaptive access decisions to discourage shadow IT among employees and to keep identities from being compromised. There are options for passwordless authentication, which is becoming the next standard feature in IAM systems. IBM also provides user lifecycle management and compliance features to make it easy for HR departments to create identities for new hires and remove them when employees leave.

PROS
- Centralizes and automates profile management and authentication.
- Known for its feature-rich platform.

CONS
- A tricky learning curve, according to some users.
- Licensing and pricing can be complicated.
What are the most important advantages of using an automated IAM package?
IAM software platforms make it faster and easier for employees to securely access the data and applications they need to do their jobs. These packages give an enterprise assurance that only authorized employees are accessing the right information, and that access is withdrawn when their role changes or they leave.
How does artificial intelligence add functionality to an IAM system?
Through continuous monitoring, AI-assisted authentication and adaptive-access functions help prevent shadow IT practices among employees and keep identities from being compromised. They do the grunt work that humans don’t do well: they keep track of an employee’s history in the system (devices, locations, times, failed attempts) and flag log-ins that depart from it, so the platform can ask for an extra factor or block the attempt. Real-time fraud prevention using AI protects against compromised credentials and keeps business resources secure.
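What an adaptive-access decision looks like in code, as an added example (this is not IBM’s, Oracle’s or any other vendor’s engine): a rule-based risk score built from the user’s own login history (an unrecognised device, impossible travel since the last successful login, and a burst of recent failures) that returns allow, step_up (require a second factor) or deny. The weights, thresholds, coordinates and every login event are constructed assumptions.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    device_id: str
    lat: float
    lon: float
    ts: int            # unix seconds


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None
    failed_at: List[int] = field(default_factory=list)   # timestamps of failed attempts


# Weights and thresholds are assumptions for the example, not vendor values.
W_UNKNOWN_DEVICE = 40
W_IMPOSSIBLE_TRAVEL = 50
W_FAILURE_BURST = 30
MAX_PLAUSIBLE_KMH = 900.0       # faster than this between two logins is not a person travelling
FAIL_WINDOW_S = 600
FAIL_BURST = 3
STEP_UP_AT, DENY_AT = 30, 80


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score(event: LoginEvent, hist: UserHistory) -> Tuple[int, List[str]]:
    """Add up the risk signals this login shows relative to the user's history."""
    total, reasons = 0, []
    if event.device_id not in hist.known_devices:
        total += W_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if hist.last_login is not None:
        km = haversine_km(hist.last_login.lat, hist.last_login.lon, event.lat, event.lon)
        hours = max(event.ts - hist.last_login.ts, 1) / 3600.0
        if km / hours > MAX_PLAUSIBLE_KMH:
            total += W_IMPOSSIBLE_TRAVEL
            reasons.append(f"impossible travel ({km:.0f} km in {hours:.2f} h)")
    recent_failures = [t for t in hist.failed_at if 0 <= event.ts - t <= FAIL_WINDOW_S]
    if len(recent_failures) >= FAIL_BURST:
        total += W_FAILURE_BURST
        reasons.append(f"{len(recent_failures)} failed attempts in {FAIL_WINDOW_S}s")
    return total, reasons


def decide(event: LoginEvent, hist: UserHistory) -> Tuple[str, int, List[str]]:
    """Map the score to a policy decision; 'step_up' means demand a second factor."""
    total, reasons = score(event, hist)
    if total >= DENY_AT:
        return "deny", total, reasons
    if total >= STEP_UP_AT:
        return "step_up", total, reasons
    return "allow", total, reasons


def record_success(event: LoginEvent, hist: UserHistory) -> None:
    """Only a completed login (allow, or step_up passed) updates the baseline."""
    hist.known_devices.add(event.device_id)
    hist.last_login = event
    hist.failed_at.clear()


def demo() -> List[str]:
    """Constructed login sequence for one user; returns the decision for each event."""
    sydney, london = (-33.87, 151.21), (51.51, -0.13)
    hist = UserHistory(known_devices={"laptop-1"})
    decisions = []
    # 1. Known laptop from Sydney, no prior login -> allow.
    e1 = LoginEvent("alice", "laptop-1", *sydney, ts=0)
    decisions.append(decide(e1, hist)[0]); record_success(e1, hist)
    # 2. Same laptop, same city, an hour later -> allow.
    e2 = LoginEvent("alice", "laptop-1", *sydney, ts=3600)
    decisions.append(decide(e2, hist)[0]); record_success(e2, hist)
    # 3. Unknown phone from London 30 minutes after a Sydney login -> deny (40 + 50).
    e3 = LoginEvent("alice", "phone-9", *london, ts=5400)
    decisions.append(decide(e3, hist)[0])            # denied, so the baseline is not updated
    # 4. Unknown tablet from Sydney -> step_up (40): ask for a second factor.
    e4 = LoginEvent("alice", "tablet-2", *sydney, ts=7200)
    decisions.append(decide(e4, hist)[0])
    # 5. Three password failures, then the known laptop from Sydney -> step_up (30).
    hist.failed_at.extend([8000, 8010, 8020])
    e5 = LoginEvent("alice", "laptop-1", *sydney, ts=8030)
    decisions.append(decide(e5, hist)[0])
    return decisions


if __name__ == "__main__":
    print(demo())   # ['allow', 'allow', 'deny', 'step_up', 'step_up']
```

The point of the design is that a denied or step-up login never updates the baseline until the extra factor succeeds; otherwise an attacker’s first login would teach the engine that the attacker’s device and location are normal. Commercial products replace the hand-tuned weights with learned models, but the inputs and the three-way outcome are the same.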
Does a good IAM platform sort and secure data besides handling identity management?
Yes. A good identity management package enables an enterprise to automatically classify and label data to make it easier to assign access rights based on user roles. It also lets users track suspicious activity on shared data and applications, so admins know exactly who is accessing each file and when they’re doing it.
Some surgeries have been cancelled at Eastern Health facilities in Victoria, following a “cyber incident” experienced late Tuesday. Eastern Health operates the Angliss, Box Hill, Healesville, and Maroondah hospitals, and has many more facilities under management. In a statement, Eastern Health said it took many of its systems offline in response to the incident. “Many Eastern Health IT systems have been taken off-line as a precaution while we seek to understand and rectify the situation,” it said. “It is important to note, patient safety has not been compromised.” Eastern Health said Category 1 elective surgery will continue as planned; however, the incident has impacted its ability to undertake less urgent (Category 2 and 3) elective procedures.

Data breach notification to the Office of the Australian Information Commissioner became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018. Since the mandate, health has been the most affected sector. The latest NDB report shows no change, with health accounting for 123 of the total 519 notifications in the six months to December 2020.

Health Minister says vaccine booking system ‘glitches’ were just day one rush

The federal government’s COVID-19 vaccine booking service was on Wednesday inundated with people trying to secure their dose, with the Department of Health’s eligibility tool suffering “problems”. According to Minister for Health Greg Hunt, day one was always going to be busy. “The eligibility checker had approximately 243,000 people on health.gov.au, check their eligibility. We had a 98% connection rate, on the advice that we’ve received from the booking engine. And then what happens is that you approach your GP, in the vast majority of cases. Some take online bookings, some take telephone booking,” Hunt said, when asked why the website was not working as expected. “And in addition to that, the Commonwealth vaccination clinics will link through directly from the vaccination information and location service. So yesterday, 98% connection, 243,000 people who checked, 9,000 who actually registered for Phase 2, which is well beyond where we are now. And so what we’ve seen is a high uptake. And day one was always going to see a significant initial demand and I’m very pleased about that.”

Due to the overload, and the fact that phase 1b covers many people over the age of 70, the 1,069 GPs listed as receiving the vaccine were inundated with phone calls. “This is a system that should have been in place well before the commencement, particularly, of phase 1b of the vaccine rollout strategy. Already, we are seeing widespread confusion and widespread frustration,” health and aged care shadow minister Mark Butler said. “The health system website continues to drop out, people are continuing to have problems logging onto a website that is the gateway to the vaccine rollout strategy. These systems should have been tested and finalised weeks ago. Instead all we are seeing out there today is chaos and confusion.”

HealthEngine was selected by the federal government to build its COVID-19 vaccination booking platform. It was reported by The Guardian that day one was actually meant to be Monday, and that the medical appointment booking industry had been told to prepare their platforms to feed into HealthDirect, and for their client GP clinics to be trained on the software, by March 22. “We’ve known for months that we would need a national booking system … more than 6 million Australians are due to be able to book their vaccines from next week without a National Booking System,” Butler added. “This is utterly remarkable and irresponsible. This vaccine rollout is fast becoming a complete mess. It is way behind schedule and the systems that we need in place are still remarkably still being built.”

Almost a year ago to the day, the federal government’s myGov portal went down after thousands flocked to the website to sign up for income assistance following forced business closures in the wake of the coronavirus outbreak. The minister in charge of government services, Stuart Robert, said the portal suffered a distributed denial of service (DDoS) attack while simultaneously blaming the outage on legitimate traffic that pushed past the 55,000 concurrent-user limit set by government. Those words were barely two hours old when Robert stood up in Parliament to say it was merely 95,000 people trying to connect to myGov that had triggered a DDoS alert, and not an attack at all.
The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned. The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin. ZDNet has obtained copies of both data sets. […]
On Thursday, the Department of Homeland Security (DHS) released new rules for the US’s freight railroad and passenger rail transit industry. The rules make it mandatory for companies to have a cybersecurity coordinator, report cybersecurity incidents to CISA, complete a cybersecurity self-assessment and create a cyber-incident response plan.
DHS officials repeatedly said the new rules were made after consultation with industry experts and meetings with rail companies. They added that the rules were pushed by the Transportation Security Administration (TSA) after CISA informed them of legitimate threats facing the rail industry. The agency has faced backlash this year from companies in a variety of industries, as well as senior Republican lawmakers, for cybersecurity rules that some have called onerous and unnecessary. In October, Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young and Deb Fischer, all Republican leaders on the Committee on Commerce, Science and Transportation, slammed DHS’ use of emergency authority to push new rules for US railroad and airport systems, questioning whether they were “appropriate absent an immediate threat.” The Republican lawmakers said the “prescriptive requirements” rolled out by TSA “may be out of step with current practices” and may “limit affected industries’ ability to respond to evolving threats, thereby lessening security.” They also claimed the rules will impose “unnecessary operation delays at a time of unprecedented congestion in the nation’s supply chain.” “Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals,” the senators wrote. “If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns.” The senators additionally claimed that current practices are “working well.”

When asked about the latest regulations handed down by TSA for the rail industry, many cybersecurity experts involved in the rail industry expressed concern about how the new rules would work in practice. Jake Williams, CTO at BreachQuest, told ZDNet that at a high level, the directives seem reasonable. But a closer look at the new rules raised questions about how CISA would handle the deluge of incident reporting that is now required. “Section B.2.b of the Enhancing Rail Cybersecurity directive mandates the reporting of the discovery of malicious software on any IT system within 24 hours of discovery. It is hard to imagine how TSA will benefit from knowing about every malicious software discovery on every IT system,” Williams said. “Taken at face value, railway operators would have to report every piece of commodity malware that is discovered in the environment, even if antivirus or EDR prevented that malware from ever executing. Even if railway operators were properly staffed to create these reports, the TSA will likely miss significant reports buried in the noise. The onerous reporting requirements will likely reduce railway security, at least in the short term, as understaffed teams dedicate resources to reporting rather than network security.” Williams added that these policy language issues are typically discovered during the public comment period, which TSA chose to forgo. “There are likely other significant issues in the two railway cybersecurity directives released by TSA without a public review period,” Williams noted. Ron Brash, vice president at ICS/OT software security firm aDolus Technology, echoed Williams’ concerns about the reporting requirements, explaining that most organizations lack the skill and resources to comply.
“Currently, beyond the obvious attacks such as ransomware, the majority of organizations have trouble differentiating between accidental and malicious events. For example, a forklift may clip a utility pole, and a fibre optic run is severed — connectivity may degrade or come to a full halt. Legislation such as this may result in overzealous behaviors because coordinators may jump to immediately claiming everything is cyber-related if the clock is fiercely ticking away, or conversely potentially result in the opposite of the intended effect: organizations may avoid reporting and improving infrastructure visibility altogether,” Brash noted. “I hope neither occurs as that is counterproductive to the spirit of the objective and may discourage proactive action. If Biden’s EO for SBOMs and supply chain transparency overflow into rail and transportation, organizations will need accelerated security program growth and maturity yesterday. This is both a good thing and a bad thing because infrastructure resiliency certainly may increase, but bad because the overall amount of foundational catch up may lead to overanalysis paralysis or poor budget allocation.” He also said overly prescriptive approaches may result in too rigid a structure and a focus on the wrong elements, leading to a box-ticking exercise rather than actual efforts to reduce cybersecurity risk.

Amir Levintal, CEO of rail cybersecurity company Cylus, said the rail industry has made significant technological advances in the last decade, with digitization helping companies improve service, efficiency, comfort, communications, and more. But these efforts have also expanded the rail industry’s threat landscape for hackers, Levintal said. “The TSA’s new directives, which require railways to bolster their cybersecurity measures, come as a direct response to the innovations the rail industry has onboarded recently and the resulting threats, and these regulations — along with similar ones in the EU — will only evolve as new technologies continue to be adopted across the planet,” Levintal explained.

Despite the concerns about the new reporting requirements, some experts said the rail industry’s cybersecurity risks outweighed worries about overzealous reporting. Coalfire vice president John Dickson said that the potential for disruption is high given existing supply chain bottlenecks and the nature of rail networks. He noted that one or two key rail lines service entire regions of North America that are vulnerable to disruption and might cripple the US economy, as the Colonial Pipeline event almost did. “We have not witnessed a rail industry event on the level of Colonial Pipeline, but a ransomware disruption, let alone a targeted attack, is a plausible scenario. Ransomware specifically, and malware automation generally, has lowered the bar so significantly for attackers that DHS CISA should be concerned and is well served to push the industry more,” Dickson said. “The railroad industry, particularly the freight portion of the railroad industry, is generally not considered to be on the bleeding edge of cybersecurity. It’s doubtful that without a regulatory ‘nudge’ from the Federal government, they are likely to not increase their cybersecurity hygiene on their own accord.”

Padraic O’Reilly, chief product officer of CyberSaint, called the new rules a “good and timely development” that is “long overdue” because the rail industry is a vulnerable piece of US critical infrastructure. With the 24-hour reporting requirement as the baseline, the industry will be moved on to the right track, O’Reilly explained, adding that it was good that government agencies had consulted groups like the Association of American Railroads (AAR) before releasing the regulations. The AAR said it and other rail industry groups had been consulting with Secretary of Homeland Security Alejandro Mayorkas and the TSA since October to “revise provisions that would have posed challenges in implementation.” The group said that with the latest regulations, “a number of the industry’s most significant concerns have been addressed.” All Class I railroads and Amtrak, as well as many commuter and short line carriers, already have chief information security officers and cybersecurity leads who will serve as the required cybersecurity coordinators, according to the AAR. Many companies also conduct cybersecurity assessments on a recurring basis and have been reporting some cyber threats to CISA through AAR’s Railway Alert Network (RAN). “For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” said AAR President and CEO Ian Jefferies. “Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe.”
The chief security officers of Australia’s big four banks have likened combating cybersecurity attacks to playing a team sport. “I think I’m not alone in saying that we see cyber as very much a team sport,” Commonwealth Bank of Australia CISO Keith Howard said during the virtual Cyber Live event on Wednesday.”The competitors, from my perspective, is not [the other banks], it’s the attackers … at the end of the day, we’re stronger when we work across industry, across education, and also work across government as well.”This joint security effort between the big four occurs regularly, according to National Australia Bank CSO Sandro Bucchianeri.”What we typically do is we would talk about indicators of compromise and share our threat intelligence so that we can better defend ourselves because something I see at NAB, Richard may not have seen it at Westpac, or Lynwen [at ANZ] may have also seen it, so we try to compare notes essentially — and that helps us protect the wider Australian community as a whole,” he said.
Special feature
Cyberwar and the Future of Cybersecurity
Today’s security threats have expanded in scope and seriousness. There can now be millions — or even billions — of dollars at risk when information security isn’t handled properly.
Read More
Bucchianeri also emphasised the importance of having diverse skill sets to make up a strong cybersecurity team. “Just like soccer, where you have strikers, defenders, midfielders, goalkeepers, doctors, coaches, nutritionists, and the list goes on, we are looking for new diverse talent that will help us better defend the organisation. Something that I’m personally very excited about is training visually impaired students to become cybersecurity professionals,” he said.From ANZ CISO Lynwen Connick’s perspective, diversifying the cybersecurity sector is not only just about gender, but also bringing in people from other fields like psychology, media, and fashion. “People come from all different walks of life, and that’s really important from a diversity point of view as well because you get that diversity of thought,” she said. “People have had different training, different experiences coming into cybersecurity because cybersecurity is really part of everything we do, so we need all sorts of different people.” The need to boost Australia’s cybersecurity skills comes at a time where cyber attacks are no longer synonymous with a specific sector or enterprise — rather it’s hurting all sectors. A prime example was when global meatpacker JBS last year paid $11 million in Bitcoin to cyber attackers that encrypted its files and disrupted operations in the US and Australia with ransomware.As BT Australasia cybersecurity head Luke Barker puts it, compared to a decade ago, there was nowhere near as many targeted activities towards organisations that run operational networks, such as manufacturing, mining, energy, and water, as there are today. “Ten years ago, I don’t think the adversaries were targeting those types of industries as much,” he said. 
“Whereas I look now and most of the organisations we work with, we’re seeing a significant rise in cybercrime against organisations that run those types of environments because the impact is so big.”

“If you’re having to take down an organisation’s manufacturing facility, that is the number one source of revenue, so the impact on their business and the likelihood of them potentially paying a ransom is going to be more so than say their website goes down, when their core business is manufacturing.”

“We’re seeing that shift towards what’s going to create the biggest impact and where are the crown jewels for that organisation.”
By default, user identities end up scattered across cloud applications, virtual environments, networks and web portals. Without a central identity and access management (IAM) strategy, businesses of all sizes lose both security and productivity.

IAM software platforms make it faster and easier for employees to securely access the data and applications they need to do their jobs, while assuring the enterprise that only authorized employees reach the information they are entitled to. For example, a human resources staffer needs access to an employee's personal records; the marketing team does not. IAM tools enforce role-based access to keep an organization's resources out of the hands of intruders.

These tools generally perform two functions. First, authentication: they confirm that a user, device or application is who it claims to be by checking the credentials it presents against what the system has on file. Second, authorization: once the credential is verified, the software grants only the level of access that role needs, rather than everything on the network.

Here are ZDNet's top picks of the leading providers of identity access management software in 2021.
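As an added illustration of those two steps (not code from any of the products reviewed here), the following Python sketch implements them in the smallest form that still behaves correctly: a salted PBKDF2 credential check with a constant-time comparison, followed by a deny-by-default role-to-permission lookup. The user store, the two roles and the permission names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample identity store (not a real directory). Passwords are kept
# only as salted PBKDF2-HMAC-SHA256 hashes, never in plaintext.
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _enroll(role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "hr.staffer": _enroll("hr", "correct horse battery staple"),
    "marketer": _enroll("marketing", "marketing-demo-passphrase"),
}

# Role-based policy: deny by default. A role receives exactly the permissions
# listed here and nothing else.
ROLE_PERMISSIONS = {
    "hr": {"employee_records:read", "employee_records:write"},
    "marketing": {"campaign_assets:read", "campaign_assets:write"},
}

# Dummy salt so an unknown username costs the same as a real one; otherwise
# response timing would reveal which usernames exist.
_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> Optional[str]:
    """Step 1 (authentication): return the caller's role if the credential
    matches what is on file, otherwise None."""
    user = USERS.get(username)
    salt = user["salt"] if user is not None else _DUMMY_SALT
    candidate = _hash_password(password, salt)  # always do the work
    if user is None:
        return None
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    return user["role"]


def authorize(role: str, permission: str) -> bool:
    """Step 2 (authorization): does this role carry the requested permission?"""
    return permission in ROLE_PERMISSIONS.get(role, set())


def access(username: str, password: str, permission: str) -> bool:
    """Full check: authenticate first, then authorize the specific action."""
    role = authenticate(username, password)
    if role is None:
        return False
    return authorize(role, permission)


if __name__ == "__main__":
    print(access("hr.staffer", "correct horse battery staple", "employee_records:read"))  # True
    print(access("marketer", "marketing-demo-passphrase", "employee_records:read"))     # False
```

The HR staffer reaches employee records; the marketer, with a perfectly valid password, does not, because authorization is decided by role, not by the fact of having logged in. A wrong password or an unknown username fails at step 1 and never reaches the policy lookup.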
Okta
Okta completed its acquisition of Auth0 in May 2021 for $6.5 billion, picking up a large body of intellectual property along with a new set of customers. Gartner named Okta a leader in its 2020 Magic Quadrant for Access Management for the fourth year in a row, describing it as “one of the most mature and advanced AM tools in the market to meet both internal and external user access management use case’s needs.”

Okta lets organizations secure and manage their extended enterprise, whether on-premises or in a private, public or hybrid cloud. With more than 6,000 pre-built integrations with applications and infrastructure providers, Okta says its customers can securely adopt the technologies they need. The platform provides single sign-on (SSO), multi-factor authentication (MFA) and a universal directory, which gives a SecOps team one place to manage all user identities. MFA supports several factor types, so users are not limited to phone or email codes. Okta also offers zero-trust access management for infrastructure, giving finer control over user permissions, and provides API access management on the back end.

PROS
- Intuitive to deploy and to integrate with other applications as use cases require.
- SSO spares employees from remembering multiple passwords.
- Extensive feature menu.

CONS
- Pricing can be steep for small businesses.
- Login records that are no longer active can be hard to find.
Auth0
Auth0, founded in 2013 and acquired by Okta in May 2021 for $6.5 billion, is a respected choice for developers who want to build a secure login experience into their own applications. It is a developer-focused identity platform for web, mobile, IoT and internal applications.

The software assigns permissions automatically based on a user's role, leaving less room for error than manual assignment. It can issue access tokens that grant users time-limited access when they need it, and it handles API authorization so that only properly authorized callers reach protected APIs. Pricing is monthly.

PROS
- Provides quickstart templates in several programming languages.
- The unusual freemium tier can be used for up to 7,000 users.

CONS
- Customization options are limited.
- Few tools for corporate governance.
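To make the time-limited access token idea above concrete, here is an added example (not Auth0's or Okta's code) that mints and verifies a short-lived HS256 JWT carrying a scope claim and then checks that claim on the API side. The signing key, subject and scope names are assumptions for the example; a real deployment uses the vendor's issued keys and libraries, normally with RS256 or ES256 so that resource servers verify with a public key and never hold the signing secret.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed signing key for the example only; a real issuer keeps this in a
# secrets manager or HSM and rotates it.
SIGNING_KEY = b"example-only-hs256-key-do-not-use-in-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_token(subject: str, scopes: List[str], ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 JWT: base64url(header).base64url(claims).base64url(sig)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired,
    otherwise None. The algorithm is pinned: the token's own 'alg' header is
    never used to choose the verifier, which closes the 'alg: none' class of bugs."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # signature mismatch: header or claims were tampered with
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict) or now >= int(claims.get("exp", 0)):
            return None  # expired (or no expiry at all)
    except (ValueError, binascii.Error, UnicodeError):
        return None  # malformed token
    return claims


def api_allows(token: str, required_scope: str, now: Optional[int] = None) -> bool:
    """Resource-server side: accept the call only with a valid, unexpired token
    whose space-separated scope claim contains the required scope."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    return required_scope in str(claims.get("scope", "")).split()


if __name__ == "__main__":
    tok = issue_token("alice", ["read:reports"], ttl_seconds=300)
    print(api_allows(tok, "read:reports"))   # True
    print(api_allows(tok, "write:reports"))  # False
```

Three failure modes matter here and the verifier handles each: an edited claims segment (say, a scope upgraded from read to write) no longer matches the signature; a token presented after its exp is rejected even though the signature is still good; and a scope the token does not carry is refused even by a perfectly valid token. The expiry check is what makes the access temporary, so the resource server must compare exp against its own clock rather than trusting anything in the token.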
Ping Identity
Ping Identity, founded in 2002 and one of the most established identity management companies in the business, was designed for hybrid IT environments. It works cleanly across public, private and hybrid clouds and with on-premises networks and applications. The platform combines MFA with SSO to give each user an intuitive and secure sign-on experience. It also includes an analytics engine that helps SecOps teams detect (and predict) anomalies in user behavior that could signal a compromised or fraudulent identity.

Thanks to its broad feature set, Ping Identity can also enforce business rules for authentication and authorization through customizable policies.

PROS
- One of the most innovative companies in this space, with new features always in the pipeline.
- Highly attentive and responsive support team.
- Easy to implement, with good interoperability with other applications.

CONS
- Quality comes at a cost: one of the more expensive platforms in the market.
Microsoft Azure Identity Management
Any product with Microsoft in the name is automatically going to get attention from potential buyers. Microsoft's Azure identity offering is built on Azure Active Directory, its cloud identity service, which is distinct from on-premises Active Directory but can be synchronized with it, and it covers on-premises, public, private and hybrid cloud deployments.

Azure identity management lets an enterprise automatically classify and label data so that access rights can be assigned by user role. It also lets admins track suspicious activity on shared data and applications, so they know who is accessing each file and when.

PROS
- Thanks to the familiar Microsoft interface, relatively easy to deploy and use.
- Secures data and applications and limits access in only a few steps.
- Provides reliable remote access for identity management.

CONS
- Application updates can be slow to roll out.
- Sometimes requires expert maintenance and management from Microsoft, which can be cost-prohibitive for small businesses.
OneLogin
OneLogin brings to the table a cloud IAM platform that puts simplicity for users first. It offers integration templates for more than 6,000 applications to help admins keep users secure across an entire network, and it works with both cloud and on-premises applications.

HR can act as the source of truth for user identities, so accounts are adjusted as an employee's lifecycle changes or ends. Organizations can also use certificate-based trust for remote employees, so those users never have to enter a password.

PROS
- Known for strong customer support.
- Analysts praise its intuitive usability and granular access control.

CONS
- The Chrome plugin has been problematic.
- Event logs occasionally miss important actions.
CyberArk Workforce Identity
CyberArk, the oldest company on the list (founded 1999), has been both a pioneer and an innovator in identity management. The company has also earned respect from investors, raising more than half a billion dollars over the past several years, according to Crunchbase.

CyberArk Workforce Identity offers MFA and SSO so that employees can log into applications easily and securely, and it automates onboarding and offboarding to lighten the load on HR and IT teams. The product, which came to CyberArk through its 2020 acquisition of Idaptive, has a low-friction sign-on flow that discourages shadow IT among employees looking for quicker ways into the resources they need. The multi-factor process is backed by analytics, making it faster to spot anomalies that could lead to a breach.

PROS
- Protection can be extended to endpoints, so only approved devices connect to the network.
- Integrations for more than 150 applications.
- Known for responsive, professional user support.

CONS
- Custom reporting does not always accept SQL inputs as designed.
- The user interface can make navigation difficult.
ForgeRock
ForgeRock's Identity Platform is backwards-compatible, meaning it supports most legacy enterprise systems. It automates several identity lifecycle processes: creating identities when employees are hired, changing access as they are promoted, and removing permissions when they leave. It runs in on-premises, cloud and hybrid environments.

ForgeRock is built for large numbers of identities, which makes it a good fit for large enterprises. For cloud deployments it provides three separate environments (development, testing and production) for the cost of a single license, with no extra charge for additional tenancies, and it supplies the DevOps tooling developers need. Pricing is per registered identity.

PROS
- Supports legacy systems while still offering modern capabilities.
- Simple integration path for Java-based applications.
- Custom components can be added as modules.

CONS
- The user interface can sometimes be difficult to navigate.
JumpCloud
JumpCloud is a relatively new entrant (founded in 2012) among the leaders of this segment. As a cloud-native directory platform, it sets out to be among the most versatile on this list. It prides itself on secure SSO, works with both on-premises and cloud applications, and is equally at home managing Windows, macOS and Linux systems.

JumpCloud also provides reporting and analytics that log user activity, letting a SecOps team review access attempts that might indicate a compromised identity. It offers remote device management for security admins as well.

PROS
- Free tier for up to 10 users and 10 devices.
- Easy to install and to add users.
- Wide breadth of features.

CONS
- Enterprise pricing is per user.
- Reporting largely depends on the API.
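Both Ping Identity's analytics engine and JumpCloud's activity reporting are described above as ways to spot access attempts that point to a compromised identity. As an added example (not either vendor's code), here are three plain-rule detections run over a constructed set of SSO audit lines: a password spray (one source failing against many accounts), a burst of failures on one account followed by a success, and an impossible-travel pair of logins. The log format, the field names and the thresholds are assumptions for the example; a real tenant's export will look different, but the logic transfers.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample SSO audit log (not from any real tenant). One event per line.
SAMPLE_LOG = """\
2021-06-01T08:00:01Z user=alice ip=203.0.113.10 geo=AU result=success
2021-06-01T08:00:05Z user=bob ip=198.51.100.7 geo=AU result=failure
2021-06-01T08:00:06Z user=carol ip=198.51.100.7 geo=AU result=failure
2021-06-01T08:00:07Z user=dave ip=198.51.100.7 geo=AU result=failure
2021-06-01T08:00:08Z user=erin ip=198.51.100.7 geo=AU result=failure
2021-06-01T08:00:09Z user=frank ip=198.51.100.7 geo=AU result=failure
2021-06-01T08:00:10Z user=grace ip=198.51.100.7 geo=AU result=failure
2021-06-01T08:10:00Z user=alice ip=192.0.2.44 geo=US result=success
2021-06-01T09:00:00Z user=bob ip=198.51.100.7 geo=AU result=failure
2021-06-01T09:00:01Z user=bob ip=198.51.100.7 geo=AU result=failure
2021-06-01T09:00:02Z user=bob ip=198.51.100.7 geo=AU result=failure
2021-06-01T09:00:03Z user=bob ip=198.51.100.7 geo=AU result=failure
2021-06-01T09:00:04Z user=bob ip=198.51.100.7 geo=AU result=failure
2021-06-01T09:00:09Z user=bob ip=198.51.100.7 geo=AU result=success
"""


def parse_events(text: str) -> List[dict]:
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events: List[dict], window=timedelta(minutes=5), min_users=5) -> Set[str]:
    """One source IP failing against many distinct accounts inside the window."""
    alerts: Set[str] = set()
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts.add(ip)
                break
    return alerts


def detect_brute_force_success(events: List[dict], window=timedelta(minutes=5), min_failures=5) -> Set[str]:
    """A run of failures on one account followed by a success: a likely guessed credential."""
    alerts: Set[str] = set()
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent = [x for x in evs[:i] if x["result"] == "failure" and e["ts"] - x["ts"] <= window]
            if len(recent) >= min_failures:
                alerts.add(user)
    return alerts


def detect_impossible_travel(events: List[dict], max_gap=timedelta(hours=1)) -> Set[str]:
    """Successful logins for one user from two different countries too close together."""
    alerts: Set[str] = set()
    last: Dict[str, dict] = {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev is not None and prev["geo"] != e["geo"] and e["ts"] - prev["ts"] <= max_gap:
            alerts.add(e["user"])
        last[e["user"]] = e
    return alerts


def run_detections(text: str = SAMPLE_LOG) -> Dict[str, Set[str]]:
    events = parse_events(text)
    return {
        "password_spray": detect_password_spray(events),
        "brute_force_success": detect_brute_force_success(events),
        "impossible_travel": detect_impossible_travel(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {sorted(hits)}")
```

On the sample data the spray rule fires on 198.51.100.7 (six accounts in five seconds), the brute-force rule fires on bob (five failures then a success within the window), and the travel rule fires on alice (Australia, then the United States nine minutes later). Note that the failures alone against bob at 08:00 do not trip the brute-force rule, because they fall outside the window of the later success; the thresholds are the tuning knobs a SecOps team adjusts against its own baseline.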
Oracle Identity Management
Oracle Identity Management brings a well-known name and a track record with U.S. government and military deployments, along with tightly controlled access to both on-premises and cloud applications.

The platform is highly scalable. Oracle lets organizations define their own access rules and policies, so they retain control over their data and applications. It also offers SSO to any integrated application from any type of device, including phones and tablets. One of the platform's key features is real-time fraud prevention to defend against compromised credentials and keep business resources secure.

PROS
- Capable of handling large volumes of traffic.
- Reliable user provisioning.

CONS
- Many features require customization; professional services can be expensive.
- Can present a steep learning curve for staff.
IBM
IBM Security Verify is an identity-as-a-service (IDaaS) platform with the SSO, MFA and identity-analytics features that are fast becoming standard. It offers AI-assisted authentication and adaptive (risk-based) access decisions intended to discourage shadow IT and keep identities from being compromised, and it supports passwordless authentication, which is on its way to becoming the next standard IAM feature.

IBM also provides user lifecycle management and compliance features so that HR can create identities as employees are hired and remove them when employees leave.

PROS
- Centralizes and automates profile management and authentication.
- Known for its feature-rich platform.

CONS
- A tricky learning curve, according to some users.
- Licensing and pricing can be complicated.
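OneLogin, CyberArk, ForgeRock and IBM are all described above as automating the joiner, mover and leaver lifecycle from an HR source of truth. The following added example (not any vendor's code) shows the reconciliation such automation performs: it diffs a constructed HR feed against a constructed directory and computes the accounts to create, the group memberships to replace, the accounts to disable and the unowned accounts to review. The feed fields, the group names and the department-to-group map are assumptions for the example.

```python
from typing import Dict, List

# Constructed HR feed (not a real export): the authoritative record of who
# works here, in which department, and whether they are still employed.
HR_FEED = [
    {"employee_id": "E100", "email": "alice@example.com", "dept": "hr", "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com", "dept": "marketing", "status": "active"},
    {"employee_id": "E102", "email": "carol@example.com", "dept": "finance", "status": "terminated"},
    {"employee_id": "E103", "email": "dave@example.com", "dept": "engineering", "status": "active"},
]

# Constructed directory state before reconciliation.
DIRECTORY = {
    "alice@example.com": {"employee_id": "E100", "groups": {"hr-staff"}, "enabled": True},
    "bob@example.com": {"employee_id": "E101", "groups": {"engineering"}, "enabled": True},  # moved to marketing
    "carol@example.com": {"employee_id": "E102", "groups": {"finance"}, "enabled": True},     # left, still enabled
    "svc-backup": {"employee_id": None, "groups": {"backup-operators"}, "enabled": True},     # no HR record
}

# Which directory groups each department is entitled to (assumed mapping).
DEPT_GROUPS = {
    "hr": {"hr-staff"},
    "marketing": {"marketing"},
    "finance": {"finance"},
    "engineering": {"engineering"},
}


def reconcile(hr_feed: List[dict], directory: Dict[str, dict]) -> dict:
    """Diff the HR feed against the directory and return the provisioning
    actions: joiners to create, movers whose groups must be replaced, leavers
    to disable, and accounts with no HR owner to review by hand."""
    actions = {"create": {}, "replace_groups": {}, "disable": [], "review": []}
    hr_emails = {r["email"] for r in hr_feed}
    for rec in hr_feed:
        email = rec["email"]
        acct = directory.get(email)
        if rec["status"] != "active":
            # Leaver: disable rather than delete so audit history survives.
            if acct is not None and acct["enabled"]:
                actions["disable"].append(email)
            continue
        wanted = DEPT_GROUPS[rec["dept"]]
        if acct is None:
            actions["create"][email] = {"employee_id": rec["employee_id"], "groups": wanted}  # joiner
        elif acct["groups"] != wanted:
            actions["replace_groups"][email] = wanted  # mover: replace, never accumulate
    for email in directory:
        if email not in hr_emails:
            actions["review"].append(email)  # orphan or service account: a human decides
    return actions


def apply_actions(directory: Dict[str, dict], actions: dict) -> Dict[str, dict]:
    """Apply the computed actions to a copy of the directory and return it."""
    new = {
        email: {"employee_id": a["employee_id"], "groups": set(a["groups"]), "enabled": a["enabled"]}
        for email, a in directory.items()
    }
    for email, spec in actions["create"].items():
        new[email] = {"employee_id": spec["employee_id"], "groups": set(spec["groups"]), "enabled": True}
    for email, groups in actions["replace_groups"].items():
        new[email]["groups"] = set(groups)
    for email in actions["disable"]:
        new[email]["enabled"] = False
    return new


if __name__ == "__main__":
    plan = reconcile(HR_FEED, DIRECTORY)
    print(plan)
    print(apply_actions(DIRECTORY, plan))
```

Two choices here are the ones that matter in practice. A mover's groups are replaced with the new department's entitlements rather than added to, which is how privilege creep from old roles is prevented; and an account with no HR record is reported for review rather than disabled automatically, since service accounts and contractors often live outside the HR feed and silently disabling them is how a backup job stops running.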
What are the most important advantages of using an automated IAM package?
IAM software platforms make it faster and easier for employees to securely access the data and applications they need to do their jobs, while assuring the enterprise that only authorized employees are reaching the right information.
How does artificial intelligence add functionality to an IAM system?
With constant monitoring, AI-assisted authentication and adaptive-access functions help discourage shadow IT and keep identities from being compromised. They do the repetitive work that humans do poorly: keeping track of each employee's history in the system and flagging sign-in behavior that departs from it. Real-time fraud prevention built on the same models protects against compromised credentials and keeps business resources secure.
Does a good IAM platform sort and secure data besides handle identity management?
Yes. A good identity management package lets an enterprise automatically classify and label data so that access rights can be assigned by user role. It also lets admins track suspicious activity on shared data and applications, so they know exactly who is accessing each file and when.